Wireshark-dev: Re: [Wireshark-dev] TCP PDU reassembly problem.
From: Graham Bloice <graham.bloice@xxxxxxxxxxxxx>
Date: Fri, 25 May 2007 17:56:20 +0100
Graham Bloice wrote:
> Folks,
> 
> In the DNP3 dissector I am using tcp_dissect_pdus() to handle data
> across multiple tcp segments.  It mostly works but in the attached
> capture things go a bit awry.
> 
> The DNP3 data consist of 2 pdus, the first is 292 bytes, the second is
> 178 bytes.  The first pdu is contained in frames 1, 3 and part of 5 and
> the second is in the rest of frame 5 & frame 7.
> 
> When frame 5 is selected, the tcp tree correctly indicates the lengths
> of the two pdus and the "Reassembled TCP Segments" item is correct for
> the first pdu.
> 
> Problem 1:
> 
> The "TCP segment data" item for the first pdu is incorrect as it shows
> the whole segment size of 206 bytes instead of the 62 bytes of the first
> pdu and when the item is selected the hex window shows the whole 260
> bytes of the TCP segment instead of the first 62 bytes.
>

The attached patch fixes this, not sure that it is correct though:

> Problem 2:
> 
> The second DNP3 pdu is not reassembled at all in frame 7, I think all
> the data is there, but presume because of some upset due to the first
> issue things aren't right.
> 

This was caused by the tcp sequence in frame 7 being reset to 0 by the
sender, thus defeating the tcp reassembly code.  I have no idea with the
equipment concerned, an Equinox ESP-2 MI Ethernet to Serial Converter,
would want to do this.

> Can the tcp reassembly experts have a look at this?
> 
> 


-- 
Regards,

Graham Bloice
Index: epan/dissectors/packet-tcp.c
===================================================================
--- epan/dissectors/packet-tcp.c        (revision 21933)
+++ epan/dissectors/packet-tcp.c        (working copy)
@@ -1467,9 +1467,10 @@
                                 * Show the stuff in this TCP segment as
                                 * just raw TCP segment data.
                                 */
-                               nbytes =
-                                   tvb_reported_length_remaining(tvb, offset);
-                               proto_tree_add_text(tcp_tree, tvb, offset, -1,
+                               nbytes = another_pdu_follows > 0
+                                       ? another_pdu_follows
+                                       : tvb_reported_length_remaining(tvb, offset);
+                               proto_tree_add_text(tcp_tree, tvb, offset, nbytes,
                                    "TCP segment data (%u byte%s)", nbytes,
                                    plurality(nbytes, "", "s"));